Weapons of Mass Analysis<br />
The personal ravings of a security consultant that do not fit into his official channels. Want to see all his excuses not to work on WaspVM, MOSREF and IOActive? Here you go!<br />
Author: swdunlop (http://www.blogger.com/profile/09410793088283629174, noreply@blogger.com)<br />
Feed updated 2018-03-05T20:59:07.379-08:00; 19 posts<br /><br />
Solving Binary 300 From the Defcon 2011 Quals Using AndBug<br />
Published 2011-06-09T18:43:00.000-07:00, updated 2011-06-09T18:49:23.279-07:00<br /><br />
Binary 300 was provided in the form of a memory dump, a few encrypted files, and a classes.dex. For this walkthrough, we will use <a href='http://github.com/swdunlop/andbug'>AndBug</a> and <a href='http://code.google.com/p/android-apktool'>ApkTool</a> for analysis, and Python for implementing a cipher I wouldn't use to protect HBGary's address book.. Let alone my phone pr0n.<br /><br />
The classes.dex had an invalid checksum and version (666); updating the version to 035 and regenerating the checksum let us use dexdump to dump Dalvik pseudocode from classes.dex.<br /><br />
Immediately, it became obvious that this was "LokPixLite," an image-encryption app in the Android Market; we downloaded LPL from the market, compared the dex files to verify our assumption using <a href='http://code.google.com/p/androguard'>AndroGuard</a>, and rebuilt the dex file using "apktool d -d" and "apktool b -d" before installing into an emulator.<br /><br />
We then used the emulator to encrypt a few reference images with a known password, then went to the decompiled source, where we see a rat's nest of obfuscated methods in class "g" that are packed full of references to "XOR" and "SHA1". What we need to sort this out is some context..
A trace of call flow with arguments will do nicely:<br />
<pre>$ ./andbug trace -p com.closecrowd.lokpixlite com.closecrowd.lokpixlite.g</pre>
<br />This command instructs AndBug to connect to LokPixLite, and use JDWP to produce METHOD_ENTRY events for every method of "g"; we then decrypt one of our images by submitting the password:<br />
<pre>[::] setting hooks
[::] hooked com.closecrowd.lokpixlite.g
[::] hooks set
[::] thread &lt;1&gt; main com.closecrowd.lokpixlite.g.d()Ljava/lang/Boolean;:0
 this = &lt;obj Lcom/closecrowd/lokpixlite/g; #c1406db458&gt;
[::] thread &lt;1&gt; main com.closecrowd.lokpixlite.g.b()V:0
 this = &lt;obj Lcom/closecrowd/lokpixlite/g; #c1406db458&gt;
[::] thread &lt;1&gt; main com.closecrowd.lokpixlite.g.d()Ljava/lang/Boolean;:0
 this = &lt;obj Lcom/closecrowd/lokpixlite/g; #c1406db458&gt;
[::] thread &lt;10&gt; password com.closecrowd.lokpixlite.g.a(Ljava/lang/String;)V:0
 this = &lt;obj Lcom/closecrowd/lokpixlite/g; #c1406db458&gt;
 p1 = test
[::] thread &lt;10&gt; password com.closecrowd.lokpixlite.g.e()V:0
 this = &lt;obj Lcom/closecrowd/lokpixlite/g; #c1406db458&gt;
[::] thread &lt;10&gt; password com.closecrowd.lokpixlite.g.b(Ljava/lang/String;)[B:0
 p0 = test
[::] thread &lt;1&gt; main com.closecrowd.lokpixlite.g.d()Ljava/lang/Boolean;:0
 this = &lt;obj Lcom/closecrowd/lokpixlite/g; #c1406db458&gt;
[::] thread &lt;10&gt; loading com.closecrowd.lokpixlite.g.a()V:0
 this = &lt;obj Lcom/closecrowd/lokpixlite/g; #c1406db458&gt;
[::] thread &lt;10&gt; loading com.closecrowd.lokpixlite.g.a()V:0
 this = &lt;obj Lcom/closecrowd/lokpixlite/g; #c1406db458&gt;
[::] thread &lt;10&gt; loading com.closecrowd.lokpixlite.g.a()V:0
 this = &lt;obj Lcom/closecrowd/lokpixlite/g; #c1406db458&gt;
[::] thread &lt;10&gt; loading com.closecrowd.lokpixlite.g.a([BIZ)[B:0
 this = &lt;obj Lcom/closecrowd/lokpixlite/g; #c1406db458&gt;
 p2 = 16
 p1 = 830009846960
 p3 = False
[::] thread &lt;10&gt; loading com.closecrowd.lokpixlite.g.b([BIZ)[B:0
 this = &lt;obj Lcom/closecrowd/lokpixlite/g; #c1406db458&gt;
 p2 = 16
 p1 = 830009846960
 p3 = False</pre>
<br />We can see our password, "test", is submitted to b(Ljava/lang/String;) to get a [B (byte array) back, which is then stashed in a global variable. Later, we see a byte array with the encrypted data passed to b([BIZ), which returns our plaintext image.<br /><br />
At this point, we have found the two key functions in the cipher -- the conversion of a password to a key, and applying the key to the ciphertext. We flip back to static analysis, now with our context data in hand, to analyze the code. The method teases apart pretty easily with context, resulting in the following Python implementation:<br />
<pre>import hashlib
from itertools import cycle

def decrypt(data, key):  # original used unshown sha1sum()/strxor() helpers; raw SHA-1 digest assumed
    mask = hashlib.sha1(key).digest()[:8]  # repeating 8-byte XOR mask
    return bytes(c ^ m for c, m in zip(data[16:], cycle(mask)))  # skip the first 16 bytes</pre>
<br />After that, it is simply a round of using strings to find all the passwords in the heap dump, and applying them in turn until we get a valid JPEG decode. From there, the password's easy to read if you squint, and it's on to the next level.
<br /><br />
Closing the Loop -- Re-Engineering Android Applications<br />
Published 2011-02-16T18:30:00.002-08:00, updated 2011-02-16T18:36:50.491-08:00<br /><br />
A lot of people have been asking for slides or more tutorial material for Android reverse engineering after my talks at BSides and Shmoocon. Problem is, neither of these cons has actually recorded the talks -- instead, I have put together a screencast demonstrating the workflow involved in re-engineering an application, adding a password logger and verifying its operation.
This has two benefits -- first, it demonstrates some of these techniques without being redundant with my "Android Reverse Engineering Using the Emulator" and "Android Anatomy" talks, and second, it serves as a good demonstration for non-hackers, showing how easy it is to patch applications.<br /><br />
<iframe title="YouTube video player" width="640" height="390" src="http://www.youtube.com/embed/zIESqZ4Vp3E" frameborder="0" allowfullscreen></iframe><br /><br />
This technique is very common in the Android Market right now, with people modifying apps for good and bad reasons -- at some point, Google is going to have to do some level of verifying "good" applications and "responsible" developers, because the current market is packed with apps that demonstrate varying levels of naughtiness.
<br /><br />
mp3collect.go -- reorganizing mp3 files by hashes of their mpeg-1 content<br />
Published 2011-01-31T15:29:00.000-08:00, updated 2011-01-31T15:32:41.706-08:00<br /><br />
<p>A friend asked me a couple weeks ago for a sample of what a "real" <a href='http://golang.org'>Go</a> program looks like. I have been using Go quite a bit for fuzzers and analysis packages at IOActive for the last few months, but I obviously can't share those with anyone else. On the flight back from Shmoocon, I decided to write a Go program to solve a problem that has been slowly building up in my ~/music directory.</p>
<p>It's a real trainwreck; between cycles of using iTunes and copying my music between devices I now have this mass of duplicated songs that have tweaked ID3 tags so I cannot simply de-duplicate them using hashes.
The solution is to calculate a hash for the actual MPEG frames in each file and ignore all the helpful metadata.</p>
<p>The program does just that by constructing hard links between a file and the hash of its media contents; duplicates are reported and left intact. The plan is to go back through those files and normalize their ID3 metadata using a program that doesn't try to "organize" my music -- <a href='http://code.google.com/p/quodlibet/'>Quod Libet</a>. (Or the Android music player, which is too dumb to attempt any of this.) There is, of course, room for improvement -- it does not handle FLAC, OGG or M4A files, which do occur in my library due to certain stores using non-MP3 formats. (Trent Reznor, Rhythmbox and iTunes, respectively.) It also should have a way of properly handling cross-filesystem collections by copying the file instead of hardlinking.</p>
<br /><a href='https://gist.github.com/805058'>mp3collect.go</a>
<br /><br />
Introducing Fuzzex, Generating Random Data From Regexes<br />
Published 2010-12-21T03:08:00.000-08:00, updated 2010-12-21T03:35:02.899-08:00<br /><br />
<p><a href='https://gist.github.com/749796'>Fuzzex</a> produces sequences of random bytes using a generation language that is similar to that commonly used by regular expressions for parsing data.
This similarity enables testers who are familiar with regular expressions to produce test data that can satisfy an application's superficial input validation and parsing without getting bogged down in specialized frameworks such as Sulley or Peach.</p>
<p>In situations where the regular expressions used for parsing and validation are available, Fuzzex enables using these expressions directly to develop tests that demonstrate potential weaknesses and exercise internal surfaces.</p>
<p>Example, a Very Permissive Email Address Regex:</p>
<pre>&gt;&gt;&gt; fuzzex.generate( '[^@]+@([^.]+)([.][^.]+)+' )
'\x07m\x10@\x0cI\x12%.\x1a.f.:'</pre>
<br /><br />
Spot the Crypto Bug<br />
Published 2010-11-18T17:20:00.000-08:00, updated 2010-11-18T17:22:06.326-08:00<br /><br />
Had a fun crypto bug crop up in a discussion, today; the code in question, functions changed to protect the guilty:<br /><br />
<pre>iv := read_cprng( 16 )
enc := aes_enc( key )
ciphertext := cbc_enc( iv, enc, iv + plaintext )</pre>
<br /><br />Where cbc_enc is a function that accepts an initialization vector, a block encryption function, and a buffer containing the plaintext to encrypt, and applies that function using the Cipher Block Chaining mode and the initialization vector.<br /><br />
Can you spot why, regardless of variance in the IV, given a constant plaintext and key, the ciphertext never varies?
<br /><br />
Lexical Analysis of C using Python and Ply<br />
Published 2010-11-14T17:42:00.000-08:00, updated 2010-11-14T17:55:01.254-08:00<br /><br />
Code reviewers fall into two camps: those who rely on <a href='http://man.cx/grep(1)'>grep</a> and their favorite text editor for review, and those who rely on a sophisticated language-specific review environment or IDE with a cross-reference generator.
Consultants tend to be in the former camp, as getting a customer's random code base into an IDE can be almost as miserable as getting it out.<br /><br />
I use a hybrid strategy, involving a simple webapp that does syntax highlighting and <a href='http://man.cx/grep(1)'>grep</a> with a few simple features that let me combine common browsing habits (history, document tabs and linking) with a minimal expectations environment. It isn't beautiful, or featureful, but it doesn't interrupt my flow.<br /><br />
Of course, there's always room for improvement, like a cross-reference of identifiers, and the source files that mention them. This requires simple lexical analysis, which is where a smart C programmer goes to <a href='http://en.wikipedia.org/wiki/Flex_lexical_analyser'>Flex</a>. So, where does a Python programmer go? My best guess is <a href='http://www.dabeaz.com/ply/'>Ply</a> -- a Python Lexical Analyzer that merges Lex semantics with Python metaprogramming.<br /><br />
So, in WEPMA fashion, <a href='https://gist.github.com/676310'>here is the interesting bit</a>, a lexical analyzer that produces identifiers, line numbers, and tokens indicating the start and end of lexical scopes. It is barely smart enough to filter out comments and strings, and tolerant of unanticipated syntactic elements because, obviously, I couldn't be bothered to implement a full C lexer.<br /><br />
Enjoy, and no, you can't have my review tool. :)
<br /><br />
JavaScript, Closures, and Wasteful API's<br />
Published 2010-10-30T17:22:00.000-07:00, updated 2010-10-30T17:42:43.830-07:00<br /><br />
First, read this function: <a href='http://developer.yahoo.com/yui/3/api/YUI.html#method_later'>later (YUI)</a>. I consider this a great example of how framework developers can overreach with abstractions, considering that JavaScript has lexical scope and closures that are fairly easily implemented.
Now, read the implementation: <a href='http://developer.yahoo.com/yui/3/api/yui-later.js.html'>YUI-Later.js</a><br /><br />
Yahoo has written roughly 30 lines to encapsulate and abstract the simple functionality of passing a thunk to either <a href='https://developer.mozilla.org/en/DOM/window.setInterval'>setInterval</a> or <a href='https://developer.mozilla.org/en/DOM/window.setTimeout'>setTimeout</a>. An example, stripped from Todd Kloots' YUI 3 demo:<br />
<pre>var args = [ 1,2 ]
Y.later( 50, gizmo, gizmo.foo, args )</pre>
<br />Could be more simply expressed as:<br />
<pre>setTimeout( function( ){ gizmo.foo( 1, 2 ) }, 50 )</pre>
<br />And, hey look, no CDN callout required. No need for a code reviewer to reach out for YUI's documentation to find out the special semantics of YUI, and it explains exactly what it means. And, bonus, fewer keystrokes.<br /><br />
Libraries like jQuery and YUI have valuable capabilities, such as concealing all of the W3C's pointless DOM verbosity behind more modern XPath-like selectors. But when these frameworks feel the need to abstract away closures, all I really see is a developer who has lost touch with the clear simplicity of JavaScript.. And I start wondering if they get paid by the API function.
<br /><br />
Long Polling with Node.JS and Express<br />
Published 2010-10-18T14:45:00.000-07:00, updated 2010-10-18T15:02:06.207-07:00<br /><br />
When I write tools or algorithms that I want other people to improve or understand, I use Python. When I am writing them for myself, because I'm in a hurry, I use Lisp. (I think in closures and the application of functions, which I occasionally force myself to re-express in classes and methods.)
Since Python's Lambda syntax is a great disappointment to me <a href="http://mail.python.org/pipermail/python-dev/2006-February/060415.html">and its father</a>, Guido van Rossum, I occasionally pine for the weird cousin of Lisp we call JavaScript.<br /><br />
JavaScript is regarded by Lisp hackers as Lisp without parentheses, shackled by the problem domain of browser scripting. It's a great, powerful language for people who think in closures, but until the recent introduction of libraries like <a href="http://jquery.org">jQuery</a>, it was also shackled to really cruddy libraries. When Google released V8 under the BSD license, I think many of us immediately ran to check out the source, wrote a partial general purpose environment, then wandered off to do better things. Like bugfixes for MOSREF. *cough*<br /><br />
Ryan Dahl, unlike the rest of us, stuck with it, and fused V8 with the similarly fascinating <a href="http://software.schmorp.de/pkg/libev.html">libev</a> to produce a JavaScript environment for I/O-centric problems that don't live solely within the browser. The resulting Node.JS strikes an interesting balance between minimalism, functionality, and performance thanks to its reliance on existing projects with great characteristics.<br /><br />
When I encounter a new language or framework, I fall back on a set of problems dear to my heart -- writing a MUD server. With web frameworks, lately, this has been simplified down into "can I write a <a href="http://en.wikipedia.org/wiki/Comet_(programming)#Ajax_with_long_polling">long-polling</a> message wall with it?" Simple problem, tends to break most simplistic web frameworks simply because requests are often deferred, waiting for an update.<br /><br />
<a href="https://gist.github.com/192d8b5e0f00a900cf88">Here it is</a> in <a href="http://nodejs.org">Node.JS</a>, using <a href="http://expressjs.com/">Express</a>, about 50 lines of overcommented code.
I'm sure it could be written faster, but probably not as concisely.<br /><br />
Next up, making a kobold walk around a message board.. ;)
<br /><br />
More Fun With Nessus Reports<br />
Published 2010-08-12T11:26:00.000-07:00, updated 2010-08-12T11:28:51.386-07:00<br /><br />
A common grievance for security professionals dealing with Nessus reports is the organization of the report by host or IP address. This makes it difficult to organize findings by type of vulnerability. This script is a little more complicated than "nsfix", but probably more useful. Enjoy.<br /><br />
<a href='http://gist.github.com/521426'>nscross.py</a><br /><br />
(I reserve the right to be somewhat embarrassed if the Nessus experts come out of the woodwork with an option to do this, too, from the Nessus GUI..)
<br /><br />
Nessus False Positives Getting Underfoot?<br />
Published 2010-08-11T10:26:00.000-07:00, updated 2010-08-11T15:29:30.658-07:00<br /><br />
So.. After you've run the scan, you've found yet another false positive in Nessus due to the idiosyncrasies of your environment. Here is a script to purge a particular plugin from a Nessus report so you don't have to redo the scan after fixing your scan parameters.<br /><br />
<a href="http://gist.github.com/519349">nsfix.py</a><br /><br />
This may work on OpenVAS reports; let me know if it causes a problem. As always, improvements are welcome.<br /><br />
Updated: <a href="http://twitter.com/pauldotcom">pauldotcom</a> from Twitter makes an excellent point that this can be achieved using the "Report Filters" interface.
I blame my fear of Flash GUIs for not finding this.
<br /><br />
Cross-Platform Raw Character Input in Python<br />
Published 2010-07-19T16:17:00.000-07:00, updated 2010-07-19T16:19:30.653-07:00<br /><br />
Handy trick for Python hackers who need to grab a keypress from the terminal but don't want to get bogged down in Curses.<br /><br />
<a href='http://gist.github.com/482200'>getch.py</a>
<br /><br />
Using AMAP to Cross-Check NMAP<br />
Published 2010-06-22T11:57:00.000-07:00, updated 2010-07-19T16:20:26.789-07:00<br /><br />
So, your NMAP results give you a good list of open ports, but it is obvious that NMAP has lost its mind, trying to figure out what service you are looking at? Sounds like a good time to fire up AMAP, but there's all these ports to type..<br /><br />
Well, it's a common enough problem for me that I wrote a script. (Which means it has happened at least twice; it doesn't take much to provoke me into automating a problem.)<br /><br />
<a href='https://gist.github.com/9c246ab58fbb29e73b7c'>namap.py</a><br /><br />
Use it in good health, and much thanks to the devs of both NMAP and AMAP for writing nice, orthogonal tools with bizarre interfaces that require glue scripts like this..
<br /><br />
It's That Time Again..<br />
Published 2010-06-13T17:04:00.000-07:00, updated 2010-06-13T17:11:59.618-07:00<br /><br />
Wes and I are preparing to send off an ISO for a new version of MalNet in preparation for HitB Amsterdam.
Because I am a relentless tease, here is a small screenshot of the new LiveCD:<br /><br />
<a href="http://3.bp.blogspot.com/_82-gntTVtz4/TBVzea5m_DI/AAAAAAAAAHg/bMDEpLZta_8/s1600/mn2-screenshot.png"><img style="display:block; margin:0px auto 10px; text-align:center; width: 400px; height: 300px;" src="http://3.bp.blogspot.com/_82-gntTVtz4/TBVzea5m_DI/AAAAAAAAAHg/bMDEpLZta_8/s400/mn2-screenshot.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5482415087847668786" /></a><br /><br />
Still using OpenBox and Conky for the desktop, we've moved to Ubuntu Lucid Lynx for the operating system, and there's a whole load of fun new goodies for malware analysts. Even better, we are also including the source in this one, so put the python decompiler down and back away slowly.
<br /><br />
Forcing Block Devices to Re-Read Partitions Using IOCTL<br />
Published 2010-05-31T19:50:00.000-07:00, updated 2010-05-31T19:54:33.811-07:00<br /><br />
Got a block device module that stubbornly refuses to produce dependent partition devices in Linux? (Looking at you, NBD..)<br /><br />
<pre>
#include &lt;fcntl.h&gt;
#include &lt;sys/ioctl.h&gt;
#include &lt;sys/mount.h&gt;  /* BLKRRPART */

int main( int argc, char** argv ){
  if( argc != 2 ) return -1;          /* usage: one block device path */
  int f = open( argv[1], O_RDONLY );
  if( f &lt; 0 ) return -2;              /* open() returns -1 on failure */
  return ioctl( f, BLKRRPART );       /* ask the kernel to re-read the partition table */
}
</pre>
<br /><br />That or you could just sleep for a while, checking for the existence of /dev/nbdXpX -- but I am an impatient bastard..
<br /><br />
Tactical Use of Symbolic Links in Code Review<br />
Published 2010-05-05T15:40:00.000-07:00, updated 2010-05-05T16:02:30.322-07:00<br /><br />
Need an index of all files that contain a given regex, nice and neat for review purposes?
(Like, cough, strcpy?)<br />
<pre># List every file that mentions strcpy, as absolute paths
find . -type f -exec grep -l strcpy \{} \; | sed "s:^\./:$PWD/:" &gt;STRCPY_INDEX
mkdir STRCPY
# Symlink each listed file into STRCPY/ for review
ln -sf $(cat STRCPY_INDEX) STRCPY</pre>
<br /><br />
More Fun With the Malware Analysis Environment (MalNet)<br />
Published 2010-05-03T23:09:00.001-07:00, updated 2010-05-03T23:50:50.581-07:00<br /><br />
Last fall I put together a LiveCD to support Wes Brown's <a href="http://www.ioactive.com/news-events/BrownHackBox09PR.html">Malware Analysis Workshop</a> at Hack in the Box Malaysia 2009 using Debian, a lot of baling wire, and some duct tape. The disc has attracted some attention, especially at B-Sides, but is not distributable for several reasons:<br />
<ul>
<li>It is a sealed box; any updates you make disappear when someone pushes the pretty red button.</li>
<li>It requires a Windows Virtual Machine; no, we cannot give you ours.</li>
<li>If Debian Stable did not like your video card, neither did our LiveCD.</li>
<li>Ditto for your network card. Well, triple for your network card. Who in the audience did not bring a 3c905-TX NIC, please raise your hands?</li>
</ul>
<br /><br />The latest Ubuntu release, <a href="https://wiki.ubuntu.com/LucidLynx/TechnicalOverview">Lucid Lynx</a>, fixes the last two problems. That is a big deal for me, as the lack of good NVidia and ATI support was a problem for me as well as some participants. Ubuntu's LiveCD seems to do the right thing, which is great news for me. The second problem is a big one, and comes down to a need to document the work required for building a virtual machine that can be instrumented by our tools. And, like any large and boring problem, I am going to ignore it.<br /><br />
But, I think the first one will be fun to solve.
It starts with stealing a page from <a href="http://waspvm.blogspot.com">WaspVM and MOSREF</a> and building a <a href="http://en.wikipedia.org/wiki/Meta-circular_evaluator">metacircular</a> environment. The Malware Analysis Environment should be able to serialize itself to either an ISO9660 filesystem or a USB flash drive as needed, and boot from either of those two sources. It should also be able to "checkpoint" changes to the filesystem and load them up as overlays -- a trick borrowed from my customizations of <a href="http://finnix.sf.net">Finnix</a> which never saw the light of day.<br /><br />
Combine those two tools, and it should be possible for analysts using MalNet to customize their environment, install the <a href="http://vim.org">One True Editor</a>, or even download updates. Maybe, if I'm really lucky, I can even factor myself out of the day to day maintenance. More time to start new pet projects is always good.<br /><br />
So far, I have converting from a CDROM or ISO filesystem to USB figured out and working nicely. Converting backwards should follow soon behind -- this is just flopping between syslinux and isolinux using either block devices or loop mounted files. Next up is figuring out how to trick Casper into checkpointing to the boot drive or committing the time to actually writing a serialize-to-squashfs script of my own.
<br /><br />
Where Scott Inserts Foot in Mouth at Notacon<br />
Published 2010-04-17T13:00:00.001-07:00, updated 2010-04-17T13:08:12.643-07:00<br /><br />
So.. Preview night.. I am a little twitchy after previewing NoSpex without a slide stack.. There is a really off the wall preview for a presentation on "Building the Digital City" by er.. Some guy. I didn't catch the name; the premise is very 40,000 foot, and as a pragmatic hacker, I had no clue what he was getting at.
There was, however, a question about why the flat encyclopedia model took over the digital media world.<br /><br />
So, I had two immediate ideas. The first was that "article content" is really low barrier to entry. Anyone who paid attention in English class knows how to compose paragraphs and express an idea in bare text. I sat on that one; defending ASCII text seemed like a losing proposition. So the other, which I thought would be sympathetic, was decrying the death of <a href="http://en.wikipedia.org/wiki/HyperCard">HyperCard</a>, which was the first moderately successful rich authoring environment in my mind. (Doesn't hurt that there was an "Apple is Evil" comment earlier stuck in my head.)<br /><br />
It wasn't until the next day, in a conversation with <a href="http://criticalresults.com">Mark Schumann</a>, that I understood why the presenter gave me an odd look. Turns out he was <a href="http://en.wikipedia.org/wiki/Marc_Canter">Marc Canter</a>, one of the bright minds from the original Macromedia. So.. Ahem.. Making friends at Notacon 7!
<br /><br />
Where Scott Whines About SecDev Burnout..<br />
Published 2010-04-17T12:19:00.001-07:00, updated 2010-04-17T13:10:11.110-07:00<br /><br />
So, I spent the last 45 days spending all of my out-of-band coding time working on <a href="http://nospex.googlecode.com">NoSpex</a> -- a realtime graphing library for process display and analysis. That is my karmic punishment for jokingly suggesting "Hey, I could graph threads talking to each other in my recent reverse engineering project" for a proposal in response to <a href="www.notacon.org">Notacon 7</a>.<br /><br />
The presentation was way too early for me, a west coaster in Ohio, and seemed too early for the con in general. I appreciate N7's staff for having me; I was not too friendly in the whole proposal process, so I deserved that "first slot on the first day" spot.
That said, having spent 45 days working on something almost as complicated as the first rounds of Mosquito or IPAF, only to present it to an audience of 20, was pretty disappointing.<br /><br />
I am going to dedicate my out-of-band time for the next month or two to game development; maybe a <a href="http://roguebasin.roguelikedevelopment.org/index.php?title=7DRL">Seven Day Roguelike</a>. It is not very well timed, with Blackhat and DefCon's Call for Papers windows opening up, but a little fun is in order.
<br /><br />
Where Scott Creates a New Blog..<br />
Published 2010-04-17T12:15:00.000-07:00, updated 2010-04-17T13:10:54.141-07:00<br /><br />
.. again. With my current work load at <a href='www.ioactive.com'>IOActive</a>, it is obvious that I'm not going to have time to touch WaspVM for a while. This means that my usual outlet, <a href='waspvm.blogspot.com'>WaspVM Developments</a>, has gone stale. I want to keep WaspDev focussed on improvements to WaspVM and MOSREF, so I have decided to create a new journal for my other projects and personal commentary.